LiveActive security incident?Get immediate response
CVE Record

CVE-2022-50213: netfilter: nf_tables: do not allow SET_ID to refer to another table

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: do not allow SET_ID to refer to another table When doing lookups for sets on the same batch by using its ID, a set from a different table can be used. Then, when the table is removed, a reference to the set may be kept after the set is freed, leading to a potential use-after-free. When looking for sets by ID, use the table that was used for the lookup by name, and only return sets belonging to that same table. This fixes CVE-2022-2586, also reported as ZDI-CAN-17470.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2022-50213 is a Linux kernel netfilter/nf_tables flaw. Under specific table and set handling, the kernel could keep a reference to memory after it was freed, creating a potential use-after-free condition. The source does not provide CVSS, impact outcome, or confirmed exploitation.

Executive priority

Prioritize normal kernel patch management, escalating for critical Linux infrastructure once exposure is confirmed. The vulnerability is a kernel memory-safety issue, but the provided evidence lacks severity scoring, confirmed exploitation, and operational prerequisites.

Technical view

nf_tables could resolve a same-batch SET_ID lookup to a set in another table. If that table was removed, a reference to the freed set could remain. The upstream fix restricts ID lookups to sets belonging to the same table used for name lookup.

Likely exposure

Exposure is limited to Linux systems running affected kernel versions or builds identified by the CVE record and carrying the vulnerable nf_tables behavior. The bundle lists Linux kernel versions including 3.16, 4.19.256, 5.4.211, 5.10.137, 5.15.61, 5.18.18, 5.19.2, and 6.0 as affected.

Exploitation context

The source bundle does not cite active exploitation, public exploit use, KEV listing, required privileges, or attacker location. It states this fixes CVE-2022-2586, also reported as ZDI-CAN-17470. Treat exploitability details as incomplete unless vendor or distribution advisories add context.

Researcher notes

Focus review on nf_tables set lookup behavior across tables during batched operations. The key invariant is that SET_ID lookup must only return sets in the same table used for lookup by name. Evidence is source-level and sparse on exploitability.

Mitigation direction

  • Apply distribution kernel updates that include the referenced stable fixes.
  • Reboot systems into the fixed kernel after patching.
  • Prioritize internet-facing or shared Linux infrastructure after confirming affected kernels.
  • Check vendor guidance if no fixed package is available.
  • Track related advisories for CVE-2022-2586 and ZDI-CAN-17470 context.

Validation and detection

  • Inventory Linux kernel versions across servers, appliances, and images.
  • Compare kernel builds with vendor advisories and referenced stable commits.
  • Confirm patched systems booted into the updated kernel.
  • Document systems where kernel updates are deferred.
  • Avoid marking active exploitation unless a cited source supports it.
Prepared
Confidence
medium
Sources
9

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-50213 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
8Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux958bee14d0718ca7a5002c0f48a099d1d345812a, 958bee14d0718ca7a5002c0f48a099d1d345812a, 958bee14d0718ca7a5002c0f48a099d1d345812a, 958bee14d0718ca7a5002c0f48a099d1d345812a, 958bee14d0718ca7a5002c0f48a099d1d345812a, 958bee14d0718ca7a5002c0f48a099d1d345812a, 958bee14d0718ca7a5002c0f48a099d1d345812aunaffected
LinuxLinux3.16, 0, 4.19.256, 5.4.211, 5.10.137, 5.15.61, 5.18.18, 5.19.2, 6.0affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.